CVE-2026-32886
Published: 18 March 2026
Summary
CVE-2026-32886 is a high-severity Prototype Pollution (CWE-1321) vulnerability in Parseplatform Parse-Server. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 8.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely application of vendor patches to remediate the stack overflow vulnerability in Parse Server versions prior to 9.6.0-alpha.24 and 8.6.47.
Protects against denial-of-service attacks by limiting the effects of remote unauthenticated requests that crash the Parse Server process via crafted cloud function names.
Mandates validation of information inputs like cloud function names to block crafted values that traverse the JavaScript prototype chain and trigger stack overflows.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stack overflow via prototype chain traversal in public Parse Server cloud function endpoint allows remote unauthenticated crash of the Node.js process, directly mapping to application/system exploitation for endpoint DoS.
NVD Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.24 and 8.6.47, remote clients can crash the Parse Server process by calling a cloud function endpoint with a crafted…
more
function name that traverses the JavaScript prototype chain of a registered cloud function handler, causing a stack overflow. The fix in versions 9.6.0-alpha.24 and 8.6.47 restricts property lookups during cloud function name resolution to own properties only, preventing prototype chain traversal from stored function handlers. There is no known workaround.
Deeper analysisAI
CVE-2026-32886 is a stack overflow vulnerability in Parse Server, an open source backend deployable to any Node.js-compatible infrastructure. Versions prior to 9.6.0-alpha.24 and 8.6.47 are affected, where remote clients can crash the Parse Server process by invoking a cloud function endpoint with a specially crafted function name. This name traverses the JavaScript prototype chain of a registered cloud function handler, leading to the overflow. The issue is classified under CWE-1321 with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Any unauthenticated remote attacker can exploit this vulnerability over the network with low complexity and no user interaction required. By sending a request to the cloud function endpoint using the crafted name, the attacker triggers recursive property lookups along the prototype chain, resulting in a denial-of-service condition that crashes the server process and disrupts service availability.
The security advisory and associated pull requests detail the mitigation: upgrade to Parse Server versions 9.6.0-alpha.24 or 8.6.47, which restrict property lookups during cloud function name resolution to own properties only, blocking prototype chain traversal. No workaround is available. Relevant resources include the GitHub security advisory GHSA-4263-jgmp-7pf4 and pull requests #10210 and #10211.
Details
- CWE(s)